The EU General Data Protection Regulation (GDPR) has been years in the making.
At its heart, the GDPR brings data protection to EU citizens while harmonizing distinct national rules and regulations into a single law that applies to the personal data of EU citizens — wherever they are from and wherever their data is stored.
To add further fuel to the flames of new data protection regulations, the EU-US Privacy Shield framework was made available as of Aug. 1. Companies may now sign up with the US Department of Commerce to become certified. Through the self-certification process, companies will be able to assert that their data collection and processing practices are in compliance with the new Privacy Shield data protection standards, as well as provide transparent and affordable dispute resolution mechanisms.
US companies now have clear directives for protecting the privacy of EU citizens, but meeting these new standards may require some adjustments to data management practices.
However, this legislative progress faces potential derailing following the UK’s vote to exit the European Union – a.k.a. Brexit. So how will Brexit impact the EU GDPR and Privacy Shield?
Prepare Now for GDPR
Companies with a specific European presence will be subject to GDPR requirements, but international companies with websites offering goods or services to EU citizens, and cloud services developed by US-based companies, may also be subject to the regulation. Most courts currently agree that existing law only maintains jurisdiction over companies with an established business in a particular country.
The law imposes fines of up to four percent of annual global revenue for data breaches, and requires privacy impact assessments (PIAs), privacy and security “by design” strategies, inventories and data mapping of personal information across business systems, mandatory appointment of Data Protection Officers, and evidence that all of these actions are followed through.
This undertaking requires a major shift for many companies — even those with privacy programs currently in place. New obligations for the Chief Information Officer (CIO), Chief Information Security Officer (CISO), and the business mean that if your business is waiting for the law to come into effect, you are probably already too late.
Will Brexit Affect GDPR Regulations?
While Brexit may cause angst for a number of reasons, data privacy and data protection should not be one of them.
We currently view the UK and the EU as a single digital market, and we should continue to do so until it isn’t. The UK will still be subject to the GDPR rules when they come into effect in May 2018, to the extent that UK organizations have an EU presence, or provide goods, services or monitoring to citizens of the EU.
So, much like the US and other countries outside of the EU, the UK will need to move forward with GDPR preparation. This means that US companies doing business with both the UK and the EU will, in all likelihood, not experience a dramatic shift.
Additionally, the UK Information Commissioner’s Office (ICO) provided a thoughtful and influential voice of reason for data protection negotiations in Europe and was very prominent in building the GDPR regulations. So, it’s likely that the UK’s future outlook on data protection will align closely with both GDPR and Privacy Shield.
UK Citizens’ Data Transfer
Businesses can transfer personally identifiable information (PII) between the UK and the EU through a number of potential mechanisms, including possible adequacy decisions or binding corporate rules. It’s highly unlikely that either the EU or the UK would want to impact the flow of commerce between important trade partners given a reasonable way to avoid doing so.
With regard to Privacy Shield and the transfer of UK citizens’ data to the US: while the UK could position itself to make data transfers for its citizens to the US more lenient, that would create further unnecessary friction between the UK and the EU. Europe’s stringent laws have set a high bar for data protection and transfers. It’s much more likely that the UK’s future mechanisms will be similar to what’s already been established.
In the meantime, organizations should continue to move forward with GDPR preparation as doing so will enable regulatory compliance, as well as optimization of resources and risk management for information assets to support responsible, ethical and lawful collection, use, sharing, maintenance and disposition of information.
Vendors that use data centers in the UK to serve European markets, and those with data centers in the works, may feel the impact. Cloud providers may pause further development plans until the Brexit strategy becomes clear. If the UK remains part of the European Economic Area and the digital single market, the impact will be lessened.
Alternatively, the UK would need to develop its own data protection laws that the EU deems adequate; otherwise it would potentially jeopardize companies wishing to use data centers in the UK to serve broader European customers.
No Country is a Data Island
So while Brexit may separate the UK from the European Union, the reality is no country is an island from a data protection perspective. Data surrounds us and without appropriate controls, it can quickly overwhelm us. Brexit or no Brexit, data is growing too fast to keep up, creating both the greatest opportunity and the greatest risk for organizations.
Sound data protection practices, such as those outlined by both the GDPR and Privacy Shield, are best practices wherever you operate in the world. As politicians negotiate the UK’s future status as a world player, CIOs, CISOs and Chief Privacy Officers (CPOs) should move ahead with their GDPR strategies in combination with policies, education, technical automation and measurement. Whether organizations find themselves inside or outside of the EU, these best practices will allow them to appropriately balance collaboration and transparency with data protection and privacy.